MoltAuth

Security checks across malware telemetry and agentic risk

Overview

MoltAuth is a coherent authentication skill, but users should treat its external packages, private keys, and signed remote requests with the care normally given to credentials.

Before installing, verify the PyPI or npm package provenance, pin versions where appropriate, store the generated private key in a protected secret store, and only send signed requests to destinations and with payloads you are comfortable associating with the persistent Molt agent identity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 81%
Finding
The README demonstrates making authenticated requests to external Molt services using a persistent private key, but it does not clearly warn users that request metadata, signatures, and potentially request bodies will be transmitted to third-party infrastructure. In an agent-skill context, developers may copy this pattern into autonomous workflows without understanding the privacy, trust, and data-exfiltration implications of sending signed traffic to external services.

VirusTotal

59/59 vendors flagged this skill as clean.
